What it takes to be a CSSLP

Recently someone asked me how to get certified, books to study, etc. I got certified last year and didn't write a post about that, so it's a great opportunity to share some thoughts.

I studied 6 hours a day for 30 days without breaks, using solely the official CSSLP book by Mano Paul. That, plus an application development background, was enough to pass the exam with roughly 90%+ correct answers, judging by my simulations on studISCope, which is a website from Mano as well.

However, unlike other certifications in the information security field, this is one for which you should have a development background. If you don't have this background and just want one more certification on your resumé, please stop.

Security is the top layer of what you do. How can you protect something if you don't know how it works? Don't skip steps. Learn development first and then move to information security, not the other way around. Without a development background you will be incomplete: you won't be able to speak to developers properly, much less persuade them to implement security controls. Basically a failure.

So, before touching the book, build at least one web application using an MVC framework. The harder the application you have to develop, the better. MVC stands for Model View Controller and it's a design pattern. Learn those as well.

Today it is easy, and getting easier, to build your first application. You can try Ruby on Rails (Ruby), Laravel (PHP), Phoenix (Elixir) or any flavor you want. Just do it.